Subject: Re: [security-services] Proposed Agenda SSTC Conference Call (October 20, 2009)
> 6. Assorted threads on saml-dev/comment list
> - SAML Attribute Management protocol discussion.
> - Metadata/IOP/Kerberos/Front channel binding discussion.

I was intending to comment on this, but I fumbled the mute button on my phone.

From the thread in question:

>> The reason I ask is because I have recently been trying to understand
>> the feasibility of using the Kerberos protocol within a SAML system
>> (as opposed to the more typical use of X.509 credentials or public key
>> crypto in general).
>
> That would generally be covered by the concepts, but the profile isn't
> written to support that particular use case at the moment.

My preferred approach is to modify the Metadata IOP so that it considers the case where Kerberos data (specifically, an element naming a Kerberos principal) is available within the <KeyDescriptor>. In this way, its use is analogous to <KeyName>. Using this information, a metadata consumer is able to prove that a SAML Requester/Responder/Issuer is authorised to act as an authenticated Kerberos principal.

Does this seem a reasonable approach?

josh.
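To make the proposal concrete, here is an added illustration (not code from the SSTC, the Metadata IOP, or any SAML implementation) of how a metadata consumer could treat a Kerberos principal name in <KeyDescriptor> the way it treats <KeyName>: as a trust anchor bound to a particular entityID and key use. The element name kerb:PrincipalName and its namespace URI are assumptions standing in for whatever the amended IOP would define; the sample metadata is constructed.

```python
"""Metadata consumer check for a Kerberos principal carried beside <KeyName>.
Added illustration only.  Assumptions: the principal lives in a hypothetical
extension element <kerb:PrincipalName> inside <ds:KeyInfo>, and the kerb
namespace URI below is a placeholder, not a registered one."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    # Placeholder namespace for the hypothetical Kerberos extension element.
    "kerb": "urn:example:saml-metadata-kerberos-extension",
}

# Constructed sample metadata: one IdP with a signing key name plus a Kerberos
# principal, and a separate encryption key with no principal at all.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.org/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:kerb="urn:example:saml-metadata-kerberos-extension">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>idp-signing-2009</ds:KeyName>
        <kerb:PrincipalName>HTTP/idp.example.org@EXAMPLE.ORG</kerb:PrincipalName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:KeyName>idp-encryption-2009</ds:KeyName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def trust_anchors(metadata_xml, use):
    """Return (key_names, principals) declared for the given key use.

    A KeyDescriptor with no use attribute applies to both signing and
    encryption, so it is included whichever use is asked for."""
    root = ET.fromstring(metadata_xml)
    key_names, principals = set(), set()
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        declared = kd.get("use")
        if declared is not None and declared != use:
            continue
        for kn in kd.iterfind("ds:KeyInfo/ds:KeyName", NS):
            key_names.add(kn.text.strip())
        for pn in kd.iterfind("ds:KeyInfo/kerb:PrincipalName", NS):
            principals.add(pn.text.strip())
    return key_names, principals


def principal_authorised(metadata_xml, entity_id, authenticated_principal, use="signing"):
    """True only if this metadata describes entity_id AND lists the principal
    the Kerberos layer actually authenticated, for the requested key use.

    The entityID check matters: a principal appearing in some other entity's
    metadata must not let that entity act as this one."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        return False
    _, principals = trust_anchors(metadata_xml, use)
    # Kerberos principal names are compared exactly; no case folding.
    return authenticated_principal in principals


if __name__ == "__main__":
    idp = "https://idp.example.org/saml"
    print(trust_anchors(SAMPLE_METADATA, "signing"))
    print(principal_authorised(SAMPLE_METADATA, idp, "HTTP/idp.example.org@EXAMPLE.ORG"))
    print(principal_authorised(SAMPLE_METADATA, idp, "HTTP/idp.example.org@EXAMPLE.ORG", use="encryption"))
```

The authenticated principal name is meant to come from the Kerberos layer that already verified the ticket; the metadata only answers whether that principal is authorised to act as the named SAML entity for that key use, which is exactly the role <KeyName> plays for a verified signature.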